Cisco Support Community

How can I monitor VPN tunnel status through SNMP?

Resolution

A VPN tunnel can be monitored just like any other interface. If ifTable is polled, you can see the admin or protocol status of that interface.

This is an example of an snmpget against ifTable:

# snmpget foo.cisco.com ifDescr.3 ifOperStatus.3 ifAdminStatus.3

ifDescr.3 : DISPLAY STRING: Tunnel0

ifOperStatus.3 : INTEGER: up

ifAdminStatus.3 : INTEGER: up

You can also set up traps for the tunnel. These are the traps that are available from CISCO-IPSEC-FLOW-MONITOR-MIB:

enterprise 1.3.6.1.4.1.9.9.171.2
1 cikeTunnelStart
2 cikeTunnelStop
3 cikeSysFailure
4 cikeCertCrlFailure
5 cikeProtocolFailure
6 cikeNoSa
7 cipSecTunnelStart
8 cipSecTunnelStop
9 cipSecSysFailure
10 cipSecSetUpFailure
11 cipSecEarlyTunTerm
12 cipSecProtocolFailure
13 cipSecNoSa

These are the traps that are available from CISCO-IPSEC-MIB:

enterprise 1.3.6.1.4.1.9.10.62.2
1 cipsIsakmpPolicyAdded
2 cipsIsakmpPolicyDeleted
3 cipsCryptomapAdded
4 cipsCryptomapDeleted
5 cipsCryptomapSetAttached
6 cipsCryptomapSetDetached
7 cipsTooManySAs

These are the traps that are available from CISCO-PORT-SECURITY-MIB:

enterprise 1.3.6.1.4.1.9.9.315
1 cpsSecureMacAddrViolation

Turn on the traps for IPSEC, as shown:

snmp-server enable traps isakmp policy add

snmp-server enable traps isakmp policy delete

snmp-server enable traps isakmp tunnel start

snmp-server enable traps isakmp tunnel stop

snmp-server enable traps ipsec cryptomap add

snmp-server enable traps ipsec cryptomap delete

snmp-server enable traps ipsec cryptomap attach

snmp-server enable traps ipsec cryptomap detach

snmp-server enable traps ipsec tunnel start

snmp-server enable traps ipsec tunnel stop

snmp-server enable traps ipsec too-many-sas

Refer to the Monitoring and Maintaining VPN Session section of VPN Tunnel Management to monitor and maintain the VPN session.

Version history
Revision #: 1 of 1
Last update: 06-18-2009 03:56 PM
Comments
New Member

Hi,

Are these traps available on the Cisco VPN Concentrator and ASA?

Regards

New Member

I'm curious on how you stop the tunnel number from being redone every time there is a re-key of the tunnel.